On 16 December 2025, the Council adopted a Decision formally opening the way for negotiations on a comprehensive framework agreement between the EU and the United States of America on the exchange of information for security screenings and identity verifications related to border procedures and visa applications. The Decision followed the respective Recommendation for such Council Decision tabled by the European Commission on 23 July 2025.

The EU's approach

The main parameters for the future agreement are set out as follows:

• The reciprocal exchange of information to assess whether travellers pose a risk to public security or public order. Any subsequent use of exchanged data for purposes such as addressing irregular migration or preventing, detecting, and combating serious crime or terrorism is only allowed where it is strictly necessary, duly authorised, and carried out within existing legal frameworks.
• The framework agreement must fully respect fundamental rights and comply with EU data protection rules, including the General Data Protection Regulation, the Law Enforcement Directive, and other relevant EU legislation, notably the Artificial Intelligence Act.
• The agreement will not replace or affect existing EU–US cooperation instruments in the fields of law enforcement and criminal justice, including agreements on the prevention and combating of serious crime (PCSC) and mutual legal assistance (MLA). Member States may conclude bilateral arrangements with the United States on matters covered by the framework agreement, provided that such arrangements are compatible with EU law.

In line with existing treaty opt-outs, Denmark and Ireland are not taking part.

The framework agreement is necessitated because the US changed the requirements for its Visa Waiver Program. Accordingly, countries are required to conclude an "Enhanced Border Security Partnership" (EBSP) with the U.S. Department of Homeland Security.

The EDPS Opinion

The European Data Protection Supervisor (EDPS) provided an opinion on the planned deal on 17 September 2025. He noted that the proposed framework agreement would set an important precedent, as it would be the first EU agreement involving large-scale sharing of personal data, including biometric data, for border and immigration control purposes by a third country. He therefore stressed the need to ensure that any data processing remain strictly necessary and proportionate.

While generally supporting the establishment of a common EU–US framework with Union-level safeguards, the EDPS called on the Commission and the Council to take into account a number of specific recommendations, including the following:

• Fundamental rights impact assessment: Conduct an in-depth fundamental rights impact assessment of both the proposed framework agreement and the Enhanced Border Security Partnerships with the United States. The level of interference with individual rights should be considered comparable to that of data exchanges for law enforcement purposes.
• Narrow and clearly defined scope: Define the personal scope of the framework agreement exhaustively and narrowly, taking into account existing prohibitions on data sharing under EU law.
• Strict limits on data categories: Clearly and comprehensively circumscribe the categories of personal data that may be exchanged, including any supplementary information provided to US authorities.
• Protection of EU large-scale IT systems: Explicitly exclude any direct or indirect sharing or transfer of data from EU large-scale IT systems in the area of justice and home affairs, in particular those related to migration and asylum.
• Strong accountability and transparency safeguards: Ensure clear and specific justification for each data query, robust accountability mechanisms, and transparency obligations for both EU and US authorities.
• Safeguards for Member States and individuals: Provide a legal possibility for Member States to refuse data sharing in individual cases and ensure access to effective judicial redress in the USA, regardless of an individual’s citizenship or the purpose of the data processing.

Further criticism

The plan for the framework agreement in the context of the EBSP also met criticism in media and by civil society organisations. As Euractiv reported, the EU institutions involved seem to have nearly no reservations to share personal data with the US, including sensitive data of EU citizens. Concerns have also been raised regarding the possibility that EU Member States can engage in direct talks with the US administration to conclude their own agreements within the EU framework. Recent events, such as the sanctioning by the US administration of Commission officials and EU citizens involved in lawmaking and advocacy work, have further fueled these concerns.

Statewatch criticised that the agreement would massively expand data-sharing via US access to EU Member State's law enforcement databases and go beyond what is necessary under the Visa-Waiver Program. It also stated that it is quite unclear how the Commission would ensure that the EU data protection safeguards are built in. "US privacy law ostensibly designed to provide redress to Europeans was already insufficient, even before the Trump administration’s ongoing demolition of privacy and data protection standards – not to mention the broader erasure of the rule of law within the US", Statewatch said.